Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Malware

IcoScript rat controlled via email services, including Yahoo and Gmail

Experts at the German security firm G-Data discovered a RAT dubbed IcoScript which receives commands from C&C via email services including Yahoo and Gmail. Security experts have detected a new Remote Administration Trojan dubbed IcoScript which is controlled by bad actors through Yahoo Mail and is able to elude detection systems by using seemingly benign domains for […]

IcoScript rat controlled via email services, including Yahoo and Gmail

Experts at the German security firm G-Data discovered a RAT dubbed IcoScript which receives commands from C&C via email services including Yahoo and Gmail.

Security experts have detected a new Remote Administration Trojan dubbed IcoScript which is controlled by bad actors through Yahoo Mail and is able to elude detection systems by using seemingly benign domains for C&C.

A researcher at the German security firm G-Data, Paul Rascagnères, has published an interesting analysis of the Remote Administration Trojan on Virus Bulletin, the malware syphons data from victims and transmits it connecting to a remote server over a specific port.

email IcoScript 2

This sample is a classic remote administration tool (RAT) but it has a particular way of communicating with its control server. It is very modular and it abuses popular web platforms (like Yahoo andGmail) for command and control communication.” reports the blog post.

The instance of IcoScript analyzed by experts at G-Data was using a Yahoo Mail account to receive commands from the C&C, the malicious code is controlled by sending specially crafted emails containing coded instructions.

“The attackers can use hundreds of different email accounts with names that are very similar to those of real users. It is very difficult to distinguish fake accounts from real ones.” “The step G is a crucial one. In addition to exfiltrating data, the malware checks available email in the mailbox (thanks to step E) and looks for the string pattern <<<<<<<< … >>>>>>>>. states the report.

The experts added that the IcoScript RAT, that is going undetected since 2012, could be easily modified to use as communication channel also other popular webmail providers, including Gmail.

 “We imagine that the author(s) can also use social media platforms such as Facebook and LinkedIn.” said the researcher.

The bad actors behind the IcoScript have chosen this mode to communicate with C&C because access to webmail services doesn’t trigger suspects for security teams of targeted organizations.

IcoScript uses Component Object Model to implement a communication channel on Windows systems, it makes HTTP requests for remote services through Internet Explorer, in case the targeted system uses a proxy (with authentication), the RAT is able to reuse the proxy token stored in the user session.

As explained by the researcher bad actors could improve IcoScript diversifying the sources of their command can control, making possible the malware accepting commands sent via any number of legitimate webmail providers, could storage services and social networking sites.

Pierluigi Paganini

(Security Affairs –  IcoScript,  RAT)